SUPPLEMENTAL AGREEMENT FOR SUPPLY OF ePLATFORM SERVICES
BY WHEELER’S BOOK CLUB LIMITED
This Agreement is supplementary to the existing Agreement for Supply of ePlatform Services between the Library and Wheeler’s Book Club Limited (“ePlatform Agreement”), and is required so that the ePlatform Agreement includes the terms that the General Data Protection Regulation (EU 2016/679) stipulates must be included in contracts of this nature.
These supplementary terms shall be effective from 25 May 2018 and shall be deemed to be incorporated into the ePlatform Agreement. Continued use of the Services by the Library shall constitute acceptance of these supplementary terms.
TERMS AND CONDITIONS
1. Definitions and interpretation
1.1 In this Agreement:
Agreement means the ePlatform Agreement and this agreement.
Data means all Personal Data collected, generated or otherwise processed by Wheelers as a result of, or in connection with, the provision of the Services.
Data Subject means an individual who is the subject of Personal Data.
EEA means the European Economic Area.
ePlatform Agreement means the most recent Agreement for Supply of ePlatform Services entered into between the Library and Wheelers.
GDPR means the General Data Protection Regulation (EU 2016/679).
Personal Data has the meaning given to it under GDPR.
Relevant Law means the laws of the European Union or the laws of a member state of the European Union.
Sub‑Processor has the meaning set out in Clause 3.1.
Supervisory Authority means any data protection authority with jurisdiction over the processing of the Data.
1.1 Terms used in this agreement have the same meaning as ascribed to them in the ePlatform Agreement unless a contrary intention is expressly stated.
2. Data Processing
2.1 Wheelers may only process Data for the duration of the Agreement and within the scope of:
(a) the nature and purpose of processing;
(b) the types of Personal Data; and
(c) the categories of Data Subject,
set out in the Annexure.
2.2 Wheelers shall process the Personal Data only in accordance with the documented instructions of the Library (including in the Agreement), unless Supplier is required to process the Data for other reasons under Relevant Law to which Wheelers is subject. If Wheelers is required to process the Data for these other reasons, Wheelers shall inform the Library before carrying out the processing, unless prohibited by Relevant Law.
2.3 Wheelers shall immediately inform the Library if, in its opinion, an instruction from the Library infringes GDPR or other data protection provisions in Relevant Law.
2.4 Wheelers shall ensure that all persons authorised by Wheelers to process Data are bound by obligations of confidentiality.
2.5 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Wheelers shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:
(a) the pseudonymisation and encryption of Personal Data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2.6 In assessing the appropriate level of security, Wheelers shall take into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
2.7 Wheelers shall take steps to ensure that any natural person acting under the authority of Wheelers who has access to Personal Data does not process such data except within the authority from the Library referred to in clause 2.2, unless he or she is required to do so by Relevant Law.
3.1 Wheelers shall not engage any third party to carry out processing in connection with the Services (Sub‑Processor) without prior specific or general authorisation of the Library. In the case of general written authorisation, Wheelers shall inform the Library of any intended changes concerning the addition or replacement of other processors, thereby giving the Library the opportunity to object to such changes.
3.2 Where Wheelers engages a Sub-Processor for carrying out specific processing activities on behalf of the Library, the same data protection obligations as set out in this agreement shall be imposed on that Sub-Processor by way of a contract or other legal act under Relevant Law. Where the Sub-Processor fails to fulfil its data protection obligations, Wheelers shall remain fully liable to the Library for the performance of the Sub-Processor’s obligations.
4. Co-operation with the Library
4.1 Taking into account the nature of the processing, Wheelers shall assist the Library by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Library’s obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of GDPR.
4.2 Wheelers shall assist the Library in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR taking into account the nature of processing and the information available to Wheelers.
4.3 At the choice of the Library, Wheelers shall delete or return all the Personal Data to the Library after the end of the provision of Services relating to processing, and shall delete existing copies unless Relevant Law requires storage of the Personal Data.
4.4 Wheelers shall make available to the Library all information necessary to demonstrate compliance with the obligations laid down in this agreement and allow for and contribute to audits, including inspections, conducted by the Library or another auditor mandated by the Library.
Nature and Purpose of Processing
Logging in to the Library lending platform (by Data Subjects) is managed (by Wheelers) through a variety of authentication methods including LDAP, SAML SSO, SIP2, OpenID and FTP. In a number of these cases the Library to whom Wheelers is providing Services sends Personal Data to Wheelers to enable this authentication to occur accurately.
Type of Personal Data to be Processed
The Personal Data Wheelers receives on Library patrons may include:
- Year level, for restricting access of certain titles to certain age groups
- Birthdate, if year level is not chosen by the Library
- Name, if barcode is not chosen by the Library
- Email (used to notify availability of a title that has been reserved)
Categories of Data Subject whose Personal Data will be Processed
- Patrons of a Library which has contracted with Wheelers to provide an eBook/Audio lending platform
- Students at a school Library which has contracted with Wheelers to provide an eBook/Audio lending platform
- Teachers at a school Library which has contracted with Wheelers to provide an eBook/Audio lending platform